I'm totally jazzed about our newest contributing writer. If all goes well, hopefully we can convince to be a more regular contributor. In order to do so, please suggest other tutorials you'd like from Mr. Wilhelm.

Also, there is an assignment at the end of this tutorial. Please feel free to discuss it, but don't give away the answers. Let's not make it too easy for others.

Many people are familiar with John the Ripper (JTR), a tool used to conduct brute force attacks against local passwords. The application itself is not difficult to understand or run... it is as simple as pointing JTR to a file containing encrypted hashes and leave it alone. In a professional penetration test, we don't always have the time to allow JTR to run to completion, and we must rely on some additional techniques to speed things up including the use of wordlists or dictionaries. JTR comes with its own wordlist containing supposedly common passwords, and we can use that dictionary to identify some low-hanging fruit. However, in most cases, the supplied JTR wordlist is woefully inadequate in identifying a wide-range of commonly-used passwords, especially when people prefer to select passwords that have some meaning to them (e.g. hobbies, partner names, child names, and pet names). So how can we improve our use of JTR to catch passwords that have relevancy to the users of our target system? It may be a bit more complicated than it seems.

The Information Systems Security Assessment Framework (ISSAF) provides an adequate methodology when focusing on password attacks and includes the suggestion of using dictionaries. For those who conduct penetration testing, the use of dictionaries is only one of two prongs used in attacking a local, encrypted password list; brute force attacks are conducted after we have attempted to break passwords using dictionaries. In this fashion, we can (hopefully) obtain weak passwords to work against during the pentest; anything discovered during the brute force attack (assuming it is too late in our pentest to use then) can simply be added to our wordlist for future penetration test projects.

Ziggy / Wordlists:Not sure where I got mine; I know they came from the Interwebs

Chris / JTR not working:There are numerous reasons why jtr might not recognize your hash. It is in situations like this where I like to use Skype for my hacking dojo students, so I can see what they're doing (via desktop sharing plugin).

Sounds like folks like this one. Soon as I have some time (maybe the weekend?????) I'll find my wordlists, and see if I can crack these. In the meantime, I wrote a bash script and quickly did the 5th item...

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

Yep... these weren't bad at all, but thanks to Tom for his 'homework,' and for the reminder to look at other things (like base64 and foreign character interpretation / calculation / encryption.) I used JTR for 4 of the 5, and a quick bash script for the last...

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

Yeah. If you have it, BT4 works well. In fact, I used BT4-r1 BlackHat edition, and it had all the necessary patches installed, already, for jtr. So that, and my slightly tweaked French wordlist, and it was a fast crack session.

Good luck, and if you need further help, feel free to PM me on here, or heck, even ask grendel, himself!

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'